The MAILING DATE of this communication appears on the cover sheet with the correspondence address
Period for Reply 

A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) FROM 
THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 

- If the period for reply specified above is less than thirty (30) days, a reply within the statutory minimum of thirty (30) days will be considered timely. 
- Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any
earned patent term adjustment. See 37 CFR 1.704(b). 

Status 

1) [X] Responsive to communication(s) filed on 24 September 2003.
2a) [X] This action is FINAL. 2b) [ ] This action is non-final.

3) [ ] Since this application is in condition for allowance except for formal matters, prosecution as to the merits is
closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

4) [X] Claim(s) 1-35 is/are pending in the application.

4a) Of the above claim(s) is/are withdrawn from consideration.

5) [X] Claim(s) 23 and 27-30 is/are allowed.

6) [X] Claim(s) 1-22, 24-26 and 31-35 is/are rejected.

1. [ ] Certified copies of the priority documents have been received.

3. [ ] Copies of the certified copies of the priority documents have been received in this National Stage
application from the International Bureau (PCT Rule 17.2(a)).
* See the attached detailed Office action for a list of the certified copies not received. 
37 CFR 1.78.

a) [ ] The translation of the foreign language provisional application has been received.

reference was included in the first sentence of the specification or in an Application Data Sheet. 37 CFR 1.78.



Attachment(s)

1) [X] Notice of References Cited (PTO-892)

2) [ ] Notice of Draftsperson's Patent Drawing Review (PTO-948)

3) [ ] Information Disclosure Statement(s) (PTO-1449) Paper No(s).

4) [ ] Interview Summary (PTO-413) Paper No(s).

5) [ ] Notice of Informal Patent Application (PTO-152)

6) [ ] Other:



U.S. Patent and Trademark Office 
PTOL-326 (Rev. 11-03) 



Office Action Summary 



Part of Paper No. 7 





Application/Control Number: 09/603,356 
Art Unit: 2153 






DETAILED ACTION 



This Office action is in response to Applicant's request for reconsideration and
Affidavit filed under 37 CFR 1.131 on September 24, 2003. Claims 1-35 are presented 
for further consideration. These are the original claims, which have not been amended. 



The Affidavit filed on September 24, 2003 under 37 CFR 1.131 has been
considered but is ineffective to overcome the M2 Presswire reference. 

The evidence submitted is insufficient to establish a reduction to practice of the 
invention in this country or a NAFTA or WTO member country prior to the effective date 
of the M2 Presswire reference. The only evidence supplied by Applicant is a series of 
letters sent between the Applicant and Applicant's representative regarding the 
formation and subsequent editing of the patent application. This is insufficient to show 
that the applicant reduced to practice the claimed invention prior to the date asserted of 
May 3, 2000. 

To establish a priority date for 37 CFR 1.131 purposes, Applicant must present
evidence sufficient to show that the claimed invention was conceived or reduced to 
practice prior to the date alleged. Evidence can include documents such as sketches, 
blueprints, photographs, reproductions of notebook entries, a model, attached 
supporting statements, testimony given in an interference, or disclosure documents. 
See MPEP § 715.07. Here, the documents submitted by Applicant are not enough to 
prove that the claimed invention pre-dates the May 3, 2000 date. They merely prove 
that the general patent application was a work in progress. One can only assume that
the referred-to patent application drafts disclosed conception or reduction to practice of 
the claimed invention. A date of priority cannot rest on such assumptions. 

Thus, for purposes of examination, the date of priority for the claimed invention 
remains the filing date of June 24, 2000. 



Applicant has made no arguments regarding the application of the art cited by 
Examiner as it relates to the 35 USC 103 rejections. 

Note that Examiner took Official Notice with regard to certain well-known claim 
limitations. Applicant has not traversed these assertions. Therefore, Applicant's failure 
to traverse these Official Notice statements serves as evidence of Applicant's admission 
that the asserted features are in fact well known in the art. See MPEP § 2144.03(C). 



The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 



Claim Rejections - 35 USC § 103

1. Claims 1-22, 24-26, and 31-35 are rejected under 35 U.S.C. 103(a) as being
unpatentable over Parker ("Single Sign-On Systems - the Technologies and the
Products," 1995), in view of M2 Presswire ("Encommerce," May 3, 2000, hereinafter
"M2").

In considering claims 1, 24, and 26, Parker discloses a method, network device,
and computer usable medium for conveying access control information (a.c.i.) from one
network device to another network device through an end user device, comprising:
The one network device ("remote security server") in response to a first message
received from the end user device ("user") containing access control information
("authentication ticket"), sending a response message ("access ticket") to the end user
device containing the a.c.i. (p. 152, ¶ 3, lines 1-5), the response message being
adapted to cause the end user device to send a second message to the another
network device ("target") containing at least part of the a.c.i. (p. 152, ¶ 3, lines 5-6);
Wherein at least part of the a.c.i. is used to control access to a protected resource on at
least one of the first and second network devices (p. 152, ¶ 3, wherein the tickets are
used to access protected resources).

However, Parker does not disclose that the two network devices are on different 
domains. Instead, Parker simply states that the two servers are "part of the single sign- 
on product." Nonetheless, including network devices from different domains on a single 
sign-on system is well known, as evidenced by M2. In a similar art, M2 discloses a 
multi-domain single sign-on system that allows Internet domains owned by different 
companies or business partners to both participate in the single sign-on system (p. 1,
last paragraph). Thus, given the teaching of M2, it would have been obvious to a 
person having ordinary skill in the art to use the single sign-on system taught by Parker 
for multiple domains, as taught by M2, so that different e-commerce companies can
coordinate their user access and information to gain market share. 

In considering claim 2, Parker further discloses that the response message 
contains the a.c.i. (the "access ticket") and a network device identifier for the another 
network device (i.e. receipt of the access ticket instructs the user device to access the 
another network device, p. 152, ¶ 3). Parker further discloses that the second message
contains at least part of the a.c.i. (p. 152, ¶ 3, i.e. the "access ticket").

However, neither Parker nor M2 discuss which part of the communication packet 
(i.e. header or content portion) contains the a.c.i. Nonetheless, Examiner takes official 
notice that including information in either the header or content portion of a data packet 
is well known in the art. Thus, storing the a.c.i. in the content portion, as claimed in 
claim 2, rather than in the header portion is a matter of design choice, and would have 
been obvious to a person having ordinary skill in the art to simplify header processing of 
the packet. 

In considering claim 3, Parker further discloses that the first message has a 
header portion and a content portion (inherent in any Internet communication system), 
and further discloses extracting the a.c.i. from the packet for use in the response 
message (p. 152, ¶ 3, wherein the access ticket is extracted from the response and
placed in the second message for delivery to the target).

However, neither Parker nor M2 discuss which part of the communication packet
(i.e. header or content portion) contains the a.c.i. Nonetheless, Examiner takes official
notice that including information in either the header or content portion of a data packet
is well known in the art. Thus, storing the a.c.i. in the header portion, as claimed in 
claim 3, rather than in the content portion is a matter of design choice, and would have 
been obvious to a person having ordinary skill in the art to simplify content processing of 
the packet. 

In considering claim 4, Parker further discloses that the first message has a 
header portion and a content portion (inherent in any Internet communication system), 
and further discloses extracting the a.c.i. from the packet for use in the response 
message (p. 152, ¶ 3, wherein the access ticket is extracted from the response and
placed in the second message for delivery to the target). 

However, neither Parker nor M2 discuss which part of the communication packet 
(i.e. header or content portion) contains the a.c.i. Nonetheless, Examiner takes official 
notice that including information in either the header or content portion of a data packet 
is well known in the art. Thus, storing the a.c.i. in the content portion, as claimed in 
claim 4, rather than in the header portion is a matter of design choice, and would have 
been obvious to a person having ordinary skill in the art to simplify header processing of 
the packet.

In considering claim 5, Parker further discloses that hidden content is used in the
response message to contain the a.c.i. (the "access ticket" is not actually seen by the 
user). 

In considering claims 6, 12 and 16, although the system taught by Parker and M2 
teaches substantial features of the claimed invention, it fails to disclose presenting an 
option to the end user device for user acceptance or to change and/or delete any of the 
user-specific information before sending the message to the another network. 
Nonetheless, Examiner takes official notice that changing user profile information in a 
network access system is well known in the art. Thus, given this knowledge, it would 
have been obvious to a person having ordinary skill in the art to change the user- 
specific information in the system taught by Parker and M2 before sending the message 
to the another network, to give the user manual control over the method of presentation 
of the requested data. 

In considering claim 7, M2 further discloses formatting the messages as a 
custom content type (p. 1, ¶ 2, "user and resource profiles"). Thus, given the teaching
of M2, it would have been obvious to include the custom content type in the content
portion of the response taught by Parker, so that the user entering the second domain
could still gain access to personalized, customized information.

In considering claim 8, Parker further discloses that at least part of the response
message is protected by cryptographic means (p. 152, ¶ 5, line 1, "protected
cryptographically").

In considering claim 9, Examiner takes official notice that the use of HTTP on the 
Internet is notoriously well known. Therefore it would have been obvious for the 
messages taught by Parker to be HTTP messages, so that the system taught by Parker 
could be used with the majority of Internet applications and documents. 

In considering claim 10, Parker further discloses that the a.c.i. is a ticket. 
Although Parker does not explicitly use the term "cookie" or describe the use of cookies, 
the use of cookies to carry access control information and other user information is well 
known in the art, as described by M2 (p. 2, ¶ 6, "every time a user logs in, a unique key
is generated and used to encrypt cookies for that session,"). Thus, given the knowledge 
that cookies could carry a.c.i. information, it would have been obvious to a person 
having ordinary skill in the art to use a cookie to carry the a.c.i. information taught by 
Parker so that the information could be stored and reused, thereby decreasing 
authentication and authorization time during session login. 

In considering claims 11 and 14, M2 further discloses the use of user-specific
information in requesting documents from the multi-domain SSO system (p. 1, ¶ 2, "user
and resource profiles"). Thus, given the teaching of M2, it would have been obvious to
pass instructions regarding user-specific information in the response taught by Parker
and including the user-specific information in the second message, so that the user
entering the second domain could still gain access to personalized information.

In considering claim 13, Parker further discloses an initial network device 
("remote authentication server") accessed by the end user device, the method further 
comprising: 

Prior to sending the response message, 

a. the initial network device receiving an initial access request from 
the end user device to access a protected resource on the initial network device 
(p. 152, ¶ 2, lines 1-2);

b. the initial network device performing an authentication process to 
determine if access should be granted ("authentication") and if so, responding 
with an access response message specifying the a.c.i. ("date token or certificate 
which can subsequently be used to prove the user's identity") in association with 
the domain of the initial network device and causing the end user device to send 
the first message (p. 152, ¶ 2, lines 2-7; ¶ 3, lines 1-4); and

On an ongoing basis after performing the authentication process allowing 
subsequent access to the protected resource to requests containing the access control 
information (p. 152, col. 2, lines 4-8). 

Although Parker refers to the initial device ("remote authentication server") and 
the one network device ("remote security server") as different devices (and thus does 
not teach that the one network device is an initial device, as claimed), it would have
been obvious to a person having ordinary skill in the art to merge these two devices into 
one, as claimed, in order to decrease network traffic and simplify the network 
communications in the system. 

In considering claim 15, M2 further discloses that the user specific information 
comprises at least one of purchase enabling information and personal data ("user and 
resource profiles," p. 1, ¶ 2).

In considering claim 17, Parker further discloses protecting the a.c.i. information 
via cryptographic means. Therefore, it would have been obvious to a person having 
ordinary skill in the art to additionally use cryptographic means to protect the user- 
specific information to increase security of the system. 

In considering claim 18, claim 18 includes no further limitations over claims 1, 2,
and 4, except that claim 18 requires that the a.c.i. is in both the header and the content 
portion of the response message. Nonetheless, Examiner takes official notice that 
including information in a header and a data portion of a packet is well known. Thus, 
storing the a.c.i. in the header portion and the content portion, as claimed in claim 18, is 
a matter of design choice, and would have been obvious to a person having ordinary 
skill in the art to balance the processing on both the header and the content portion of 
the packet.

In considering claim 19, Parker further discloses that the another network device
is specified in the input message (p. 152, ¶ 3, lines 1-2, "user selects a target
application server to access"). 

In considering claim 20, Parker further discloses that the another network device 
is specified by the network device (p. 152, ¶ 3, lines 4-6).

In considering claim 21, claim 21 contains no further limitations over claims 18 
and 13, except that claim 21 requires that the response to the initial access request 
includes the a.c.i. in the header portion of the packet. Nonetheless, Examiner takes 
official notice that including information in either the header or content portion of a data 
packet is well known in the art. Thus, storing the a.c.i. in the header portion, as claimed
in claim 21, rather than in the content portion is a matter of design choice, and would 
have been obvious to a person having ordinary skill in the art to simplify content 
processing of the packet. 

In considering claim 22, Parker further discloses the claimed authentication step 
(p. 152, ¶ 2, "authentication").

In considering claim 25, Parker further discloses a network device (server) 
adapted to implement the method of claim 18.

In considering claims 31-33, claims 31-33, taken as a whole, contain no further
limitations over claim 21, and are thus rejected for the same reasons as claim 21.

Claim 34 contains the same limitations as claim 31, and is thus rejected for the
same reasons as discussed in claim 21 as well.

Claim 35 contains no further limitations over claims 1, 2, 11, and 12 combined,
and is thus rejected for the same reasons as stated regarding those claims.

Allowable Subject Matter 

2. Claims 23 and 27-30 are allowed.

The following is a statement of reasons for the indication of allowable subject 
matter: In considering claim 23, the prior art of record fails to disclose or render obvious 
all of the limitations of the claim. Claims 27-30 depend from claim 23, and thus are 
allowable as well. 

Conclusion 

The prior art made of record and not relied upon is considered pertinent to
applicant's disclosure.

a. The newly-cited PR Newswire article regarding MSN and the "Microsoft
Passport" system discloses a "single-sign-in" service extendible across multiple Internet
domains, such as "all MSN sites, the Hotmail™ Web-based e-mail service, the
Microsoft Web site, and third-party sites." See p. 3, lines 1-4 of the printout.

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Bradley Edelman whose telephone number is (703) 306-3041.
The examiner can normally be reached on Monday to Friday from 8:30 AM to
5:00 PM.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor, Glen Burgess, can be reached on (703) 305-4792. The fax phone numbers
for the organization where this application or proceeding is assigned are as follows:

For all After Final papers: (703) 746-7238.

For all other correspondences: (703) 746-7239.

Any inquiry of a general nature or relating to the status of this application or
proceeding should be directed to the receptionist whose telephone number is (703) 305-3900.



BE 

January 15, 2004 




Bf^BURGE 
SUPERVISORY PATENT EXAMINER 
TECHNOLOGY CENTER 2100 



